* Tests: fix random selection of deleted record causing test failure
* Tests: fix test folders being left after test
* Tests: ensure that required records are available
* Tests: make each package execute against it's own testdata folder to ensure no interpackage test failures
* Tests: add unit tests of CleanupTestFolder
* Tests: Allow defer in TestMain
* Tests: rename testMain to runTestMain
Add PHOTOPRISM_OIDC_PROMPT (--oidc-prompt) to forward the OpenID Connect
"prompt" parameter (login, select_account, consent) on the authorization
request, so a rejected user can re-authenticate or pick another account
instead of being silently signed in again. Unsupported values (including
"none", which would break interactive login) are dropped with a warning;
empty preserves the seamless-SSO default.
On a cluster-OIDC Sign-Out the instance now delegates the Portal session and the
upstream RP-logout to the Portal's end-session endpoint instead of doing them
itself: revokePeerSessions skips the Portal peer's backend DELETE (still clearing
its storage), and DeleteSession skips clearing the OP session cookie when it
returns a providerLogoutUri — otherwise the Portal OP could not resolve the
session (via that cookie) to chain the upstream logout. onLogout now resolves to
the chosen landing URL so the /logout route guard follows the provider logout URL
too. Adds the oidcLogout client-config accessor and an instance.portal session
marker so the Portal peer is identified explicitly rather than by URL shape.
Sign-out of an OIDC session redirects the browser to the provider's
discovered end_session_endpoint (id_token_hint + absolute
post_logout_redirect_uri) when PHOTOPRISM_OIDC_LOGOUT is enabled, so the
provider SSO session ends and the next login re-prompts. Opt-in (default
off); local/LDAP logout and providers without an end-session endpoint fall
back to local logout.
Adds the shared CE /api/v1/oauth/logout route and OAuthLogoutHandler hook
plus the Portal OP end_session_endpoint advertised in the Portal discovery
document, for Portal builds to serve via the override hook.
The relying-party state and PKCE cookies were left at the zitadel default Path=/, so on a shared-domain proxy (instances served under /i/<tenant>) they reached the callback only if the proxy rewrote the Set-Cookie path. They are now scoped to <base>/api/v1/oidc, covering both the login leg and the redirect callback, so they survive to the callback regardless of any proxy rewrite.
A user who signed in via cluster OIDC now returns to the Portal login (re-auth via OIDC) on sign-out instead of the instance's local form. The /logout route awaits the cluster-wide sign-out so the Portal OP cookie is cleared before the redirect, avoiding a silent re-SSO.
The OIDC RP callback handler returned without writing a response when
CodeExchangeUserInfo failed (e.g. a missing/expired state cookie), leaving
the raw zitadel error ("failed to get state: http: named cookie not present")
on screen with no way forward. CodeExchangeUserInfo now runs the exchange
against a recorder so the handler's raw error never reaches the browser, and
the callback renders the branded auth.gohtml page (which returns the user to
login) instead of a dead-end. Set-Cookie headers from a successful exchange
are still propagated.
Honor the pp_role claim (gated by pp_issuer_kind) over the group mapping so an instance login reflects the role the Portal granted, restricted to federatable roles.
Gate the OIDC relying-party cookie handler's WithUnsecure() on the existing
insecure flag instead of applying it unconditionally, so the round-trip state
(CSRF defense) and PKCE code_verifier cookies retain the Secure attribute on
HTTPS deployments. Addresses audit finding OJW-260603-02 (GO-HTTP-005).